I'm trying to separate my home network into 3 VLANs with the IDs 30, 20, 10. I've set-up the Unifi AP to broadcast 3 SSIDs which also have VLAN IDs 30, 20, 10. That AP is connected on eth4 on my RB5009. Let's assume all devices on the VLANs will connect through the AP for now.
I can successfully connect wirelessly to each one of those SSIDs, get an IP address from DHCP and access the Internet.
The problem is that the firewall somehow fails to block cross-VLAN traffic (no VLAN isolation). For example:
While on device with the address 192.168.30.2 I ping 192.168.20.2 - and while I expected it to fail, the ping proceeds successfully. If I monitor the ping exchange in Torch and collect the VLAN Id while it goes on, there's no VLAN Id in the results row where the "Src: 192.168.30.2, Dst: 192.168.20.2" connection is shown. So perhaps that's a symptom.
I've also looked at the firewall rules and the key ones for isolation should be (taken from my .rsc at the bottom of this post):
Code: Select all
add action=accept chain=forward comment="vlan to wan traffic" \
connection-state=new in-interface-list=VLANS out-interface-list=WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
My problem looks very similar to what's described below this code block https://help.mikrotik.com/docs/display/ ... ter_198473 . I've read viewtopic.php?f=23&t=143620 (and respective .rsc files) and the Bridge VLAN Table manual but I haven't been able to apply the information from there to fix my problem.
Could somebody please share their thoughts on why this could be happening?
Code: Select all
# jul/03/2022 18:21:16 by RouterOS 7.3.1
# software id = FZWK-5BAJ
#
# model = RB5009UG+S+
# serial number = HC907M8KM80
/interface bridge
add admin-mac=DC:2C:6E:DD:8B:A8 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
# disable unused ifaces
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether4 name=company-vlan vlan-id=30
add interface=ether4 name=dev-vlan vlan-id=20
add interface=bridge name=home-vlan vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-gcm pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=company ranges=192.168.30.2-192.168.30.254
add name=dev ranges=192.168.20.2-192.168.20.254
add name=home ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=company interface=company-vlan name=company-dhcp
add address-pool=dev interface=dev-vlan name=dev-dhcp
add address-pool=home interface=home-vlan name=home-dhcp
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=company-vlan list=VLANS
add interface=dev-vlan list=VLANS
add interface=home-vlan list=VLANS
add interface=company-vlan list=LAN
add interface=dev-vlan list=LAN
add interface=home-vlan list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.30.1/24 interface=company-vlan network=192.168.30.0
add address=192.168.20.1/24 interface=dev-vlan network=192.168.20.0
add address=192.168.10.1/24 interface=home-vlan network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.248 mac-address=E4:5F:01:6E:28:C2 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.88.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=me dns-server=192.168.88.1 gateway=\
192.168.20.1
add address=192.168.30.0/24 comment=company dns-server=192.168.88.1 gateway=\
192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=443,80 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="vlan to wan traffic" \
connection-state=new in-interface-list=VLANS out-interface-list=WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 proposal=*1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Warsaw
/system routerboard settings
set cpu-frequency=1400MHz
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN